Buffer overflow in wall(1).

This affected syslogd, wall and talkd.
Detected by FORTIFY_SOURCE GSoC (with clang).

Submitted by:	Oliver Pinter
Differential Revision:	https://reviews.freebsd.org/D3254
Reviewed by:	delphij, jmg
MFC after:	3 days

diff --git a/usr.bin/wall/ttymsg.c b/usr.bin/wall/ttymsg.c
index 37b09e9e95d613e994d19bcb17ad7ff1362e852b..1317a4b0cb603dd9f0fc96e26d877adc6879be3c 100644 (file)
--- a/usr.bin/wall/ttymsg.c
+++ b/usr.bin/wall/ttymsg.c
@@ -62,7 +62,7 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
        struct iovec localiov[7];
        ssize_t left, wret;
        int cnt, fd;
-       static char device[MAXNAMLEN] = _PATH_DEV;
+       char device[MAXNAMLEN] = _PATH_DEV;
        static char errbuf[1024];
        char *p;
        int forked;
@@ -71,8 +71,8 @@ ttymsg(struct iovec *iov, int iovcnt, const char *line, int tmout)
        if (iovcnt > (int)(sizeof(localiov) / sizeof(localiov[0])))
                return ("too many iov's (change code in wall/ttymsg.c)");
 
+       strlcat(device, line, sizeof(device));
        p = device + sizeof(_PATH_DEV) - 1;
-       strlcpy(p, line, sizeof(device));
        if (strncmp(p, "pts/", 4) == 0)
                p += 4;
        if (strchr(p, '/') != NULL) {